SR 26-2 Supersedes SR 11-7 — and the Arcus SR 26-2 Model Risk Suite Is Available Today
On April 17, 2026, the Federal Reserve, OCC, and FDIC issued revised interagency guidance on model risk management — SR 26-2 at the Fed, Bulletin 2026-13 at the OCC — superseding SR 11-7 after fifteen years. The new guidance is risk-based and non-prescriptive: oversight scales with model materiality rather than a fixed tiering checklist. Today we’re announcing the SR 26-2 Model Risk Management Graph Suite, available as an enterprise offering. It runs alongside our SR 11-7 suite on the same reasoning engine — only the regulation layer changed. That is the architectural thesis made concrete: when the rulebook changes, you re-point the citation pack, not rebuild the engine.
What happened on April 17
The Board of Governors, the OCC, and the FDIC jointly issued the Revised Guidance on Model Risk Management, which supersedes and replaces SR 11-7 (issued April 4, 2011) and SR 21-8, the 2021 interagency statement on model risk management for BSA/AML systems. The OCC issued it as Bulletin 2026-13 and rescinded its 2011-12 bulletin along with the Model Risk Management booklet of the Comptroller’s Handbook. The guidance is expected to be most relevant to banking organizations with over $30 billion in total assets.
The shift in posture is the story. SR 11-7 read as a set of requirements; institutions built rigid model tiers and annual revalidation calendars around it. SR 26-2 explicitly does not set forth enforceable standards or prescriptive requirements. Instead, it describes sound principles, tailored to the model’s materiality and the organization’s size and complexity. Model risk is framed as inherent risk times model materiality, where materiality combines exposure and purpose. Higher materiality demands more rigorous oversight; lower materiality earns a proportionate, lighter-touch review.
What did not change matters just as much. The three components of validation — conceptual soundness, outcomes analysis, and ongoing monitoring — are retained. So is effective challenge, the core discipline of critical review by qualified parties with the incentive and authority to push back. And the guidance draws one notable boundary: generative-AI and agentic-AI models are out of its scope. The substance of good model risk management survived. The rigidity did not.
The announcement
The SR 26-2 Model Risk Management Graph Suite is now available as an enterprise offering. It is a first-class model-risk domain running alongside our existing SR 11-7 suite: both are selectable from the Graph Library, both produce sealed reasoning traces, section-anchored dossiers, and population Reports of Examination, and both roll up into the governance dashboard. An institution can validate a model package under whichever standard applies to it — or adjudicate the same package under both and diff the dossiers, which is exactly what a transition year calls for.
Same engine, different rulebook
Here is what we did not do: retrain a model, rewrite a reasoning engine, or rebuild a validation pipeline. The SR 26-2 domain reuses, byte-for-byte, the machinery already proven under SR 11-7. The IRG reasoning graph and its adjudication topology are shared. The effective-challenge function is shared — the adversary node is SR 26-2’s effective challenge, steelmanning the model under review and then challenging it in both directions: against under-challenge (rubber-stamping) and against over-challenge (disproportionate demands), calibrated to the locked risk rating. The deterministic tool-nodes for math verification and back-testing are shared — they compute in code, consume zero LLM tokens, are byte-reproducible, and are authoritative: the model may not recompute or override them. The formal-proof layer is shared — every determination is discharged as a step-by-step derivation from definitions and assumptions through numbered propositions, each citing a section, an evidence item, or a prior step.
What changed is the regulation layer, and only the regulation layer. The classification node now locks a model risk rating from inherent risk and materiality rather than a Tier 1/2/3 label. The citation pack anchors findings to SR 26-2’s sections — development and use, validation and monitoring, governance and controls, vendor and third-party risk. The conclusion vocabulary follows the new framing: fit for use, fit with conditions, or not fit for use, stated at the model’s materiality. And a scope guard flags generative-AI and agentic-AI packages as outside the 2026 guidance.
This is the argument we have been making since we published the protocol: when regulation lives in an inspectable citation pack and deterministic rule tools — rather than baked into model weights or scattered through prompt spaghetti — a regulatory change is a configuration change. The agencies replaced fifteen years of guidance in a single interagency release. We re-pointed the pack, updated the section anchors, and shipped. The engine, the challenge logic, the proof layer, and the governance surfaces were untouched.
New in this release: deterministic fair-lending analysis
The suite’s one net-new capability sits under SR 26-2’s outcomes analysis: a deterministic fair-lending / disparate-impact tool. Given decision counts, it computes in code the statistics regulators actually use — the Adverse Impact Ratio, the four-fifths (80%) rule flag with a watch zone below 0.90, statistical significance, and the practical shortfall: how many additional approvals a group would need to clear the 80% bar.
The tool carries a discipline guardrail by design. It surfaces the statistical evidence and requires a least-discriminatory-alternative and business-justification review — it does not assert a legal fair-lending conclusion, because disparate treatment and disparate impact are legal determinations. A failed 80% rule that is statistically significant is a high-severity outcomes finding to escalate, not a verdict. And because the tool is regulation-neutral, it lives in the shared library: SR 11-7 runs get it too.
Why this matters if you run model risk
SR 26-2’s risk-based posture is a gift and a test. The gift is proportionality: you are no longer defending a one-size-fits-all revalidation calendar. The test is that proportionality must be demonstrated. If oversight scales with materiality, an examiner will ask how you rated materiality, what rigor followed from the rating, and whether the challenge applied was effective rather than performative. Those are questions about process, and they are only answerable if the process leaves artifacts.
Every run in the suite produces those artifacts by architecture: a section-anchored dossier, the deterministic tool blocks an examiner can re-run exactly, a machine-checked formal proof, and a governance-dashboard posture with epistemic integrity scores, gate-holds, and risk flags. The hard numbers are computed in code and reproducible; the LLM reasons around them under verify-gating rather than inventing them. To be clear about what this is: a governance architecture that produces examination-grade artifacts — not a certification, and not a substitute for your institution’s own regulatory judgment. No vendor can hand you supervisory sign-off. What we can hand you is a decision record that survives scrutiny.
The agencies rewrote the rulebook after fifteen years, and our answer was a config change. That’s not a boast about speed — it’s the point of the architecture. When reasoning is governed by an explicit graph and regulation lives in an inspectable layer, the next guidance change is a re-point, too.